Certshared now are offering 100% pass ensure AWS-Certified-Solutions-Architect-Professional dumps! https://www.certshared.com/exam/AWS-Certified-Solutions-Architect-Professional/ (398 Q&As)

Amazon Exam Questions AWS-Certified-Solutions-Architect-Professional Amazon AWS Certified Solutions Architect Professional

Guaranteed success with Our exam guides visit - https://www.certshared.com

NEW QUESTION 1 An organization is planning to extend their by connecting their DC with the AWS VPC using the VPN gateway. The organization is setting up a dynamically routed VPN connection. Which of the below mentioned answers is not required to set up this configuration?

A. The type of customer gateway, such as Cisco ASA, Juniper J-Series, Juniper SSG, Yamaha.
B. Elastic IP ranges that the organization wants to advertise over the VPN connection to the VPC.
C. Internet-routable IP address (static) of the customer gateway's external interface.
D. Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the customer gateway.

Answer: B

Explanation: The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. The organization wants to extend their network into the cloud and also directly access the internet from their AWS VPC. Thus, the organization should set up a Virtual Private Cloud (VPC) with a public subnet and a private subnet, and a virtual private gateway to enable communication with their data center network over an IPsec VPN tunnel. To set up this configuration the organization needs to use the Amazon VPC with a VPN connection. The organization network administrator must designate a physical appliance as a customer gateway and configure it. The organization would need the below mentioned information to set up this configuration:
The type of customer gateway, such as Cisco ASA, Juniper J-Series, Juniper SSG, Yamaha
Internet-routable IP address (static) of the customer gateway's external interface
Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the customer gateway, if the organization is creating a dynamically routed VPN connection.
Internal network IP ranges that the user wants to advertise over the VPN connection to the VPC.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

NEW QUESTION 2 An organization is planning to host a WordPress blog as well as a Joomla CMS on a single instance launched with VPC. The organization wants to have separate domains for each application and assign them using Route 53. The organization may have about ten instances each with two applications as mentioned above. While launching the instance, the organization configured two separate network interfaces (primary + ENI) and wanted to have two elastic IPs for that instance. It was suggested to use a public IP from AWS instead of an elastic IP as the number of elastic IPs is restricted. What action will you recommend to the organization?

A. I agree with the suggestion but will prefer that the organization should use separate subnets with each ENI for different public IPs.
B. I do not agree as it is required to have only an elastic IP since an instance has more than one ENI and AWS does not assign a public IP to an instance with multiple ENIs.
C. I do not agree as AWS VPC does not attach a public IP to an ENI; so the user has to use an elastic IP only.
D. I agree with the suggestion and it is recommended to use a public IP from AWS since the organization is going to use DNS with Route 53.

Answer: B

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC. The user can attach up to two ENIs with a single instance. However, AWS cannot assign a public IP when there are two ENIs attached to a single instance. It is recommended to assign an elastic IP in this scenario. If the organization wants more than 5 EIPs they can request AWS to increase the number. Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

NEW QUESTION 3 What is the default maximum number of VPCs allowed per region?

A. 5
B. 10
C. 100
D. 15

Answer: A

Explanation: The maximum number of VPCs allowed per region is 5. Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

NEW QUESTION 4 A customer has a website which shows all the deals available across the market. The site experiences a load of 5 large EC2 instances generally. However, a week before Thanksgiving vacation they encounter a load of almost 20 large instances. The load during that period varies over the day based on the office timings. Which of the below mentioned solutions is cost effective as well as help the website achieve better performance?

A. Setup to run 10 instances during the pre-vacation period and only scale up during the office time by launching 10 more instances using the AutoScaling schedule.
B. Keep only 10 instances running and manually launch 10 instances every day during office hours.
C. During the pre-vacation period setup 20 instances to run continuously.
D. During the pre-vacation period setup a scenario where the organization has 15 instances running and 5 instances to scale up and down using Auto Scaling based on the network I/O policy.

Answer: D

Explanation: AWS provides an on demand, scalable infrastructure. AWS EC2 allows the user to launch On-Demand instances and the organization should create an AMI of the running instance. When the organization is experiencing varying loads and the time of the load is not known but it is higher than the routine traffic it is recommended that the organization launches a few instances beforehand and then sets up AutoScaling with policies which scale up and down as per the EC2 metrics, such as Network I/O or CPU utilization. If the organization keeps all 10 additional instances as a part of the AutoScaling policy sometimes during a sudden higher load it may take time to launch instances and may not give an optimal performance. This is the reason it is recommended that the organization keeps an additional 5 instances running and the next 5 instances scheduled as per the AutoScaling policy for cost effectiveness. Reference: http://media.amazonwebservices.com/AWS_Web_Hosting_Best_Practices.pdf

NEW QUESTION 5 In which step of using AWS Direct Connect should the user determine the required port speed?

A. Complete the Cross Connect
B. Verify Your Virtual Interface
C. Download Router Configuration
D. Submit AWS Direct Connect Connection Request

Answer: D

Explanation: To submit an AWS Direct Connect connection request, you need to provide the following information:
Your contact information.
The AWS Direct Connect Location to connect to.
Details of AWS Direct Connect partner if you use the AWS Partner Network (APN) service.
The port speed you require, either 1 Gbps or 10 Gbps.
Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted.html#ConnectionRequest

NEW QUESTION 6 In Amazon IAM, what is the maximum length for a role name?

A. 128 characters
B. 512 characters
C. 64 characters
D. 256 characters

Answer: C

Explanation: In Amazon IAM, the maximum length for a role name is 64 characters. Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html

NEW QUESTION 7 You have subscribed to the AWS Business and Enterprise support plan. Your business has a backlog of problems, and you need about 20 of your IAM users to open technical support cases. How many users can open technical support cases under the AWS Business and Enterprise support plan?

A. 5 users
B. 10 users
C. Unlimited
D. 1 user

Answer: C

Explanation: In the context of AWS support, the Business and Enterprise support plans allow an unlimited number of users to open technical support cases (supported by AWS Identity and Access Management (IAM)). Reference: https://aws.amazon.com/premiumsupport/faqs/

NEW QUESTION 8 While implementing the policy keys in AWS Direct Connect, if you use _____ and the request comes from an Amazon EC2 instance, the instance's public IP address is evaluated to determine if access is allowed.

A. aws:SecureTransport
B. aws:EpochIP
C. aws:SourceIp
D. aws:CurrentTime

Answer: C

Explanation: While implementing the policy keys in Amazon RDS, if you use aws:SourceIp and the request comes from an Amazon EC2 instance, the instance's public IP address is evaluated to determine if access is allowed. Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/using_iam.html

NEW QUESTION 9 A user has created a MySQL RDS instance with PIOPS. Which of the below mentioned statements will help user understand the advantage of PIOPS?

A. The user can achieve additional dedicated capacity for the EBS I/O with an enhanced RDS option
B. It uses a standard EBS volume with optimized configuration the stacks
C. It uses optimized EBS volumes and optimized configuration stacks
D. It provides a dedicated network bandwidth between EBS and RDS

Answer: C

Explanation: RDS DB instance storage comes in two types: standard and provisioned IOPS. Standard storage is allocated on the Amazon EBS volumes and connected to the user’s DB instance. Provisioned IOPS uses optimized EBS volumes and an optimized configuration stack. It provides additional, dedicated capacity for the EBS I/O. Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html

NEW QUESTION 10 MapMySite is setting up a web application in the AWS VPC. The organization has decided to use an AWS RDS instead of using its own DB instance for HA and DR requirements. The organization also wants to secure RDS access. How should the web application be set up with RDS?

A. Create a VPC with one public and one private subnet. Launch an application instance in the public subnet while RDS is launched in the private subnet.
B. Setup a public and two private subnets in different AZs within a VPC and create a subnet group. Launch RDS with that subnet group.
C. Create a network interface and attach two subnets to it. Attach that network interface with RDS while launching a DB instance.
D. Create two separate VPCs and launch a Web app in one VPC and RDS in a separate VPC and connect them with VPC peering.

Answer: B

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources, such as RDS into a virtual network that the user has defined. Subnets are segments of a VPC's IP address range that the user can designate to a group of VPC resources based on the security and operational needs. A DB subnet group is a collection of subnets (generally private) that a user can create in a VPC and assign to the RDS DB instances. A DB subnet group allows the user to specify a particular VPC when creating the DB instances. Each DB subnet group should have subnets in at least two Availability Zones in a given region. Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html

NEW QUESTION 10 When does an AWS Data Pipeline terminate the AWS Data Pipeline-managed compute resources?

A. AWS Data Pipeline terminates AWS Data Pipeline-managed compute resources every 2 hours.
B. When the final activity that uses the resources is running
C. AWS Data Pipeline terminates AWS Data Pipeline-managed compute resources every 12 hours.
D. When the final activity that uses the resources has completed successfully or failed

Answer: D

Explanation: Compute resources will be provisioned by AWS Data Pipeline when the first activity for a scheduled time that uses those resources is ready to run, and those instances will be terminated when the final activity that uses the resources has completed successfully or failed. Reference: https://aws.amazon.com/datapipeline/faqs/

NEW QUESTION 15 What bandwidths does AWS Direct Connect currently support?

A. 10Mbps and 100Mbps
B. 10Gbps and 100Gbps
C. 100Mbps and 1Gbps
D. 1Gbps and 10 Gbps

Answer: D

Explanation: AWS Direct Connect currently supports 1Gbps and 10 Gbps. Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

NEW QUESTION 19 The Statement element, of an AWS IAM policy, contains an array of individual statements. Each individual statement is a(n) _____ block enclosed in braces { }.

A. XML
B. JavaScript
C. JSON
D. AJAX

Answer: C

Explanation: The Statement element, of an IAM policy, contains an array of individual statements. Each individual statement is a JSON block enclosed in braces { }. Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html

NEW QUESTION 23 If no explicit deny is found while applying IAM's Policy Evaluation Logic, the enforcement code looks for any _____ instructions that would apply to the request.

A. "cancel"
B. "suspend"
C. "allow"
D. "valid"

Answer: C

Explanation: If an explicit deny is not found among the applicable policies for a specific request, IAM's Policy Evaluation Logic checks for any "allow" instructions to check if the request can be successfully completed. Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html

NEW QUESTION 27 Regarding Amazon SNS, you can send notification messages to mobile devices through any of the following supported push notification services, EXCEPT:

A. Windows Mobile Messaging (MWMM)
B. Cloud Messaging for Android (GCM)
C. Amazon Device Messaging (ADM)
D. Apple Push Notification Service (APNS)

Answer: A

Explanation: In Amazon SNS, you have the ability to send notification messages directly to apps on mobile devices. Notification messages sent to a mobile endpoint can appear in the as message alerts, badge updates, or even sound alerts. Windows Mobile Messaging (MWMM) doesn’t exist and is not supported by Amazon SNS. Reference: http://docs.aws.amazon.com/sns/latest/dg/SNSMobilePush.html

NEW QUESTION 28 You want to define permissions for a role in an IAM policy. Which of the following configuration formats should you use?

A. An XML document written in the IAM Policy Language
B. An XML document written in a language of your choice
C. A JSON document written in the IAM Policy Language
D. A JSON document written in a language of your choice

Answer: C

Explanation: You define the permissions for a role in an IAM policy. An IAM policy is a JSON document written in the IAM Policy Language. Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html

NEW QUESTION 33 IAM Secure And Scalable is an organization which provides scalable and secure SAAS to its clients. They are planning to host a web server and App server on AWS VPC as separate tiers. The organization wants to implement the scalability by configuring Auto Scaling and load balancer with their app servers (middle tier) too. Which of the below mentioned options suits their requirements?

A. Since ELB is internet facing, it is recommended to setup HAProxy as the Load balancer within the VPC.
B. Create an Internet facing ELB with VPC and configure all the App servers with it.
C. The user should make ELB with EC2-CLASSIC and enable SSH with it for security.
D. Create an Internal Load balancer with VPC and register all the App servers with it.

Answer: D

Explanation: The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Within this virtual private cloud, the user can launch AWS resources, such as an ELB, and EC2 instances. There are two ELBs available with VPC: internet facing and internal (private) ELB. For internal servers, such as App servers the organization can create an internal load balancer in their VPC and then place back-end application instances behind the internal load balancer. The internal load balancer will route requests to the back-end application instances, which are also using private IP addresses and only accept requests from the internal load balancer. Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/vpc-loadbalancer-types.html

NEW QUESTION 35 True or False: Amazon ElastiCache supports the Redis key-value store.

A. True, ElastiCache supports the Redis key-value store, but with limited functionalities.
B. False, ElastiCache does not support the Redis key-value store.
C. True, ElastiCache supports the Redis key-value store.
D. False, ElastiCache supports the Redis key-value store only if you are in a VPC environment.

Answer: C

Explanation: This is true. ElastiCache supports two open-source in-memory caching engines:
1. Memcached - a widely adopted memory object caching system. ElastiCache is protocol compliant with Memcached, so popular tools that you use today with existing Memcached environments will work seamlessly with the service.
2. Redis - a popular open-source in-memory key-value store that supports data structures such as sorted sets and lists. ElastiCache supports Master / Slave replication and Multi-AZ which can be used to achieve cross AZ redundancy.
Reference: https://aws.amazon.com/elasticache/

NEW QUESTION 40 An organization is setting up an application on AWS to have both High Availability (HA) and Disaster Recovery (DR). The organization wants to have both Recovery point objective (RPO) and Recovery time objective (RTO) of 10 minutes. Which of the below mentioned service configurations does not help the organization achieve the said RPO and RTO?

A. Take a snapshot of the data every 10 minutes and copy it to the other region.
B. Use an elastic IP to assign to a running instance and use Route 53 to map the user’s domain with that IP.
C. Create ELB with multi-region routing to allow automated failover when required.
D. Use an AMI copy to keep the AMI available in other region

Answer: C

Explanation: AWS provides an on demand, scalable infrastructure. AWS EC2 allows the user to launch On-Demand instances and the organization should create an AMI of the running instance. Copy the AMI to another region to enable Disaster Recovery (DR) in case of region failure. The organization should also use EBS for persistent storage and take a snapshot every 10 minutes to meet Recovery time objective (RTO). They should also setup an elastic IP and use it with Route 53 to route requests to the same IP. When one of the instances fails the organization can launch new instances and assign the same EIP to a new instance to achieve High Availability (HA). The ELB works only for a particular region and does not route requests across regions. Reference: http://d36cz9buwru1tt.cloudfront.net/AWS_Disaster_Recovery.pdf

NEW QUESTION 41 An organization is having an application which can start and stop an EC2 instance as per schedule. The organization needs the MAC address of the instance to be registered with its software. The instance is launched in EC2-CLASSIC. How can the organization update the MAC registration every time an instance is booted?

A. The organization should write a boot strapping script which will get the MAC address from the instance metadata and use that script to register with the application.
B. The organization should provide a MAC address as a part of the user data. Thus, whenever the instance is booted the script assigns the fixed MAC address to that instance.
C. The instance MAC address never changes. Thus, it is not required to register the MAC address every time.
D. AWS never provides a MAC address to an instance; instead the instance ID is used for identifying the instance for any software registration.

Answer: A

Explanation: AWS provides an on demand, scalable infrastructure. AWS EC2 allows the user to launch On-Demand instances. AWS does not provide a fixed MAC address to the instances launched in EC2-CLASSIC. If the instance is launched as a part of EC2-VPC, it can have an ENI which can have a fixed MAC. However, with EC2-CLASSIC, every time the instance is started or stopped it will have a new MAC address. To get this MAC, the organization can run a script on boot which can fetch the instance metadata and get the MAC address from that instance metadata. Once the MAC is received, the organization can register that MAC with the software. Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html

NEW QUESTION 46 What feature of the load balancing service attempts to force subsequent connections to a service to be redirected to the same node as long as it is online?

A. Node balance
B. Session retention
C. Session multiplexing
D. Session persistence

Answer: D

Explanation: Session persistence is a feature of the load balancing service. It attempts to force subsequent connections to a service to be redirected to the same node as long as it is online. Reference: http://docs.rackspace.com/loadbalancers/api/v1.0/clb-devguide/content/Concepts-d1e233.html

NEW QUESTION 50 What types of identities do Amazon Cognito identity pools support?

A. They support both authenticated and unauthenticated identities.
B. They support only unauthenticated identities.
C. They support neither authenticated nor unauthenticated identities.
D. They support only authenticated identities.

Answer: A

Explanation: Amazon Cognito identity pools support both authenticated and unauthenticated identities. Authenticated identities belong to users who are authenticated by a public login provider or your own backend authentication process. Unauthenticated identities typically belong to guest users. Reference: http://docs.aws.amazon.com/cognito/devguide/identity/identity-pools/

NEW QUESTION 51 The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?

A. "Effect": "Allow", "Action": ["Describe"], "Resource": "Billing"
B. "Effect": "Allow", "Action": ["aws-portal:ViewBilling"], "Resource": "*"
C. "Effect": "Allow", "Action": ["aws-portal:ViewUsage"], "Resource": "*"
D. "Effect": "Allow", "Action": ["AccountUsage"], "Resource": "*"

Answer: C

Explanation: AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the CFO wants to allow only AWS usage report page access, the policy for that IAM user will be as given below:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "aws-portal:ViewUsage"
          ],
          "Resource": "*"
        }
      ]
    }

Reference: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html

NEW QUESTION 56 An organization has created 5 IAM users. The organization wants to give them the same login ID but different passwords. How can the organization achieve this?

A. The organization should create each user in a separate region so that they have their own URL to login
B. The organization should create a separate login ID but give the IAM users the same alias so that each one can login with their alias
C. It is not possible to have the same login ID for multiple IAM users of the same account
D. The organization should create various groups and add each user with the same login ID to different groups. The user can login with their own group ID

Answer: C

Explanation: AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. Whenever the organization is creating an IAM user, there should be a unique ID for each user. It is not possible to have the same login ID for multiple users. The names of users, groups, roles, instance profiles must be alphanumeric, including the following common characters: plus (+), equal (=), comma (,), period (.), at (@), and dash (-). Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SettingUpUser.html

NEW QUESTION 59 A user is planning to use EBS for his DB requirement. The user already has an EC2 instance running in the VPC private subnet. How can the user attach the EBS volume to a running instance?

A. The user can create EBS in the same zone as the subnet of instance and attach that EBS to instance.
B. It is not possible to attach an EBS to an instance running in VPC until the instance is stopped.
C. The user can specify the same subnet while creating EBS and then attach it to a running instance.
D. The user must create EBS within the same VPC and then attach it to a running instance.

Answer: A

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. The user can create subnets as per the requirement within a VPC. The VPC is always specific to a region. The user can create a VPC which can span multiple Availability Zones by adding one or more subnets in each Availability Zone. The instance launched will always be in the same availability zone of the respective subnet. When creating an EBS the user cannot specify the subnet or VPC. However, the user must create the EBS in the same zone as the instance so that it can attach the EBS volume to the running instance. Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#VPCSubnet

NEW QUESTION 64 An organization is planning to setup a management network on the AWS VPC. The organization is trying to secure the webserver on a single VPC instance such that it allows the internet traffic as well as the back-end management traffic. The organization wants to make it so that the back end management network interface can receive the SSH traffic only from a selected IP range, while the internet facing webserver will have an IP address which can receive traffic from all the internet IPs. How can the organization achieve this by running web server on a single instance?

A. It is not possible to have two IP addresses for a single instance.
B. The organization should create two network interfaces with the same subnet and security group to assign separate IPs to each network interface.
C. The organization should create two network interfaces with separate subnets so one instance can have two subnets and the respective security groups for controlled access.
D. The organization should launch an instance with two separate subnets using the same network interface which allows to have a separate CIDR as well as security groups.

Answer: C

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC. The user can create a management network using two separate network interfaces. For the present scenario it is required that the secondary network interface on the instance handles the public facing traffic and the primary network interface handles the back-end management traffic and it is connected to a separate subnet in the VPC that has more restrictive access controls. The public facing interface, which may or may not be behind a load balancer, has an associated security group to allow access to the server from the internet while the private facing interface has an associated security group allowing SSH access only from an allowed range of IP addresses either within the VPC or from the internet, a private subnet within the VPC or a virtual private gateway. Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

NEW QUESTION 67 A user is trying to create a vault in AWS Glacier. The user wants to enable notifications. In which of the below mentioned options can the user enable the notifications from the AWS console?

A. Glacier does not support the AWS console
B. Archival Upload Complete
C. Vault Upload Job Complete
D. Vault Inventory Retrieval Job Complete

Answer: D

Explanation: From AWS console the user can configure to have notifications sent to Amazon Simple Notification Service (SNS). The user can select specific jobs that, on completion, will trigger the notifications such as Vault Inventory Retrieval Job Complete and Archive Retrieval Job Complete. Reference: http://docs.aws.amazon.com/amazonglacier/latest/dev/configuring-notifications-console.html

NEW QUESTION 69 An organization is undergoing a security audit. The auditor wants to view the AWS VPC configurations as the organization has hosted all the applications in the AWS VPC. The auditor is from a remote place and wants to have access to AWS to view all the VPC records. How can the organization meet the expectations of the auditor without compromising on the security of their AWS infrastructure?

A. The organization should not accept the request as sharing the credentials means compromising on security.
B. Create an IAM role which will have read only access to all EC2 services including VPC and assign that role to the auditor.
C. Create an IAM user who will have read only access to the AWS VPC and share those credentials with the auditor.
D. The organization should create an IAM user with VPC full access but set a condition that will not allow to modify anything if the request is from any IP other than the organization’s data center.

Answer: C

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. The user can create subnets as per the requirement within a VPC. The VPC also works with IAM and the organization can create IAM users who have access to various VPC services. If an auditor wants to have access to the AWS VPC to verify the rules, the organization should be careful before sharing any data which can allow making updates to the AWS infrastructure. In this scenario it is recommended that the organization creates an IAM user who will have read only access to the VPC. Share the above mentioned credentials with the auditor as it cannot harm the organization. The sample policy is given below:

    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeCustomerGateways",
        "ec2:DescribeVpnGateways",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeRouteTables",
        "ec2:DescribeAddresses",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeTags",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html

NEW QUESTION 74 An organization is planning to create a secure scalable application with AWS VPC and ELB. The organization has two instances already running and each instance has an ENI attached to it in addition to a primary network interface. The primary network interface and additional ENI both have an elastic IP attached to it. If those instances are registered with ELB and the organization wants ELB to send data to a particular EIP of the instance, how can they achieve this?

A. The organization should ensure that the IP which is required to receive the ELB traffic is attached to a primary network interface. B. It is not possible to attach an instance with two ENIs with ELB as it will give an IP conflict error. C. The organization should ensure that the IP which is required to receive the ELB traffic is attached to an additional ENI. D. It is not possible to send data to a particular IP as ELB will send to any one EI

Answer: A

Explanation: Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Within this virtual private cloud, the user can launch AWS resources, such as an ELB, and EC2 instances. There are two ELBs available with VPC: internet facing and internal (private) ELB. For the internet facing ELB it is required that the ELB should be in a public subnet. When the user registers a multi-homed instance (an instance that has an Elastic Network Interface (ENI) attached) with a load balancer, the load balancer will route the traffic to the IP address of the primary network interface (eth0). Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/gs-ec2VPC.html

NEW QUESTION 75 What is the maximum length for a certificate ID in AWS IAM?

A. 1024 characters B. 512 characters C. 64 characters

D. 128 characters

Answer: D

Explanation: The maximum length for a certificate ID is 128 characters. Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html

NEW QUESTION 79 A user is trying to create a PIOPS EBS volume with 3 GB size and 90 IOPS. Will AWS create the volume?

A. No, since the PIOPS and EBS size ratio is less than 30 B. Yes, since the ratio between EBS and IOPS is less than 30 C. No, the EBS size is less than 4GB D. Yes, since PIOPS is higher than 100

Answer: C

Explanation: A Provisioned IOPS (SSD) volume can range in size from 4 GiB to 16 TiB and you can provision up to 20,000 IOPS per volume. Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html#EBSVolumeTypes_piops

NEW QUESTION 84 A user has configured EBS volume with PIOPS. The user is not experiencing the optimal throughput. Which of the following could not be factor affecting I/O performance of that EBS volume?

A. EBS bandwidth of dedicated instance exceeding the PIOPS B. EC2 bandwidth C. EBS volume size D. Instance type is not EBS optimized

Answer: C

Explanation: If the user is not experiencing the expected IOPS or throughput that is provisioned, ensure that the EC2 bandwidth is not the limiting factor, the instance is EBS-optimized (or includes 10 Gigabit network connectivity) and the instance type's EBS dedicated bandwidth exceeds the IOPS that the user has provisioned. Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-io-characteristics.html

NEW QUESTION 85 Which of the following cache engines does Amazon ElastiCache support?

A. Amazon ElastiCache supports Memcached and Redis. B. Amazon ElastiCache supports Redis and WinCache. C. Amazon ElastiCache supports Memcached and Hazelcast. D. Amazon ElastiCache supports Memcached onl

Answer: A

Explanation: The cache engines supported by Amazon ElastiCache are Memcached and Redis. Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/SelectEngine.html

NEW QUESTION 89 In a VPC, can you modify a set of DHCP options after you create them?

A. Yes, you can modify a set of DHCP options within 48 hours after creation and there are no VPCs associated with them. B. Yes, you can modify a set of DHCP options any time after you create them. C. No, you can't modify a set of DHCP options after you create them. D. Yes, you can modify a set of DHCP options within 24 hours after creatio

Answer: C

Explanation: After you create a set of DHCP options, you can't modify them. If you want your VPC to use a different set of DHCP options, you must create a new set and associate them with your VPC. You can also set up your VPC to use no DHCP options at all. Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html

NEW QUESTION 94 A bucket owner has allowed another account’s IAM users to upload or access objects in his bucket. The IAM user of Account A is trying to access an object created by the IAM user of account B. What will happen in this scenario?

A. It is not possible to give permission to multiple IAM users B. AWS S3 will verify proper rights given by the owner of Account A, the bucket owner as well as by the IAM user B to the object C. The bucket policy may not be created as S3 will give error due to conflict of Access Rights D. It is not possible that the IAM user of one account accesses objects of the other IAM user

Answer: B

Explanation: If an IAM user is trying to perform some action on an object belonging to another AWS user’s bucket, S3 will verify whether the owner of the IAM user has given sufficient permission to him. It also verifies the policy for the bucket as well as the policy defined by the object owner. Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-auth-workflow-object-operation.html

NEW QUESTION 98 Which statement is NOT true about a stack which has been created in a Virtual Private Cloud (VPC) in AWS OpsWorks?

A. Subnets whose instances cannot communicate with the Internet are referred to as public subnets. B. Subnets whose instances can communicate only with other instances in the VPC and cannot communicate directly with the Internet are referred to as private subnets. C. All instances in the stack should have access to any package repositories that your depends on, such as the Amazon or Ubuntu Linux repositories. D. Your app and custom cookbook repositories should be accessible for all instances in the stac

Answer: A

Explanation: In AWS OpsWorks, you can control user access to a stack's instances by creating it in a virtual private cloud (VPC). For example, you might not want users to have direct access to your stack's app servers or databases and instead require that all public traffic be channeled through an Elastic Load Balancer. A VPC consists of one or more subnets, each of which contains one or more instances. Each subnet has an associated routing table that directs outbound traffic based on its destination IP address. Instances within a VPC can generally communicate with each other, regardless of their subnet. Subnets whose instances can communicate with the Internet are referred to as public subnets. Subnets whose instances can communicate only with other instances in the VPC and cannot communicate directly with the Internet are referred to as private subnets. AWS OpsWorks requires the VPC to be configured so that every instance in the stack, including instances in private subnets, has access to the following endpoints: The AWS OpsWorks service, https://opsworks-instance-service.us-east-1.amazonaws.com . The package repositories for Amazon Linux or Ubuntu 12.04 LTS, depending on which operating system you specify. Your app and custom cookbook repositories. Reference: http://docs.aws.amazon.com/opsworks/latest/userguide/workingstacks-vpc.html#workingstacks-vpc-basics

NEW QUESTION 102 What RAID method is used on the Cloud Block Storage back-end to implement a very high level of reliability and performance?

A. RAID 1 (Mirror) B. RAID 5 (Blocks striped, distributed parity) C. RAID 10 (Blocks mirrored and striped) D. RAID 2 (Bit level striping)

Answer: C

Explanation: Cloud Block Storage back-end storage volumes employ the RAID 10 method to provide a very high level of reliability and performance. Reference: http://www.rackspace.com/knowledge_center/product-faq/cloud-block-storage

NEW QUESTION 105 One of the AWS account owners faced a major challenge in June as his account was hacked and the hacker deleted all the data from his AWS account. This resulted in a major blow to the business. Which of the below mentioned steps would not have helped in preventing this action?

A. Setup an MFA for each user as well as for the root account user. B. Take a backup of the critical data to offsite / on premise. C. Create an AMI and a snapshot of the data at regular intervals as well as keep a copy to separate regions. D. Do not share the AWS access and secret access keys with others as well do not store it inside programs, instead use IAM roles.

Answer: C

Explanation: AWS security follows the shared security model where the user is as much responsible as Amazon. If the user wants to have secure access to AWS while hosting applications on EC2, the first security rule to follow is to enable MFA for all users. This will add an added security layer. In the second step, the user should never give his access or secret access keys to anyone as well as store inside programs. The better solution is to use IAM roles. For critical data of the organization, the user should keep an offsite/ in premise backup which will help to recover critical data in case of security breach. It is recommended to have AWS AMIs and snapshots as well as keep them at other regions so that they will help in the DR scenario. However, in case of a data security breach of the account they may not be very helpful as the hacker can delete that. Therefore, creating an AMI and a snapshot of the data at regular intervals as well as keeping a copy in separate regions would not have helped in preventing this action. Reference: http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf

NEW QUESTION 106 With Amazon Elastic MapReduce (Amazon EMR) you can analyze and process vast amounts of data. The cluster is managed using an open-source framework called Hadoop. You have set up an application to run Hadoop jobs. The application reads data from DynamoDB and generates a temporary file of 100 TBs. The whole process runs for 30 minutes and the output of the job is stored to S3. Which of the below mentioned options is the most cost effective solution in this case?

A. Use Spot Instances to run Hadoop jobs and configure them with EBS volumes for persistent data storage. B. Use Spot Instances to run Hadoop jobs and configure them with ephemeral storage for output file storage. C. Use an on demand instance to run Hadoop jobs and configure them with EBS volumes for persistent storage. D. Use an on demand instance to run Hadoop jobs and configure them with ephemeral storage for output file storage.

Answer: B

Explanation: AWS EC2 Spot Instances allow the user to quote his own price for the EC2 computing capacity. The user can simply bid on the spare Amazon EC2 instances and run them whenever his bid exceeds the current Spot Price. The Spot Instance pricing model complements the On-Demand and Reserved Instance pricing models, providing potentially the most cost-effective option for obtaining compute capacity, depending on the application. The only challenge with a Spot Instance is data persistence as the instance can be terminated whenever the spot price exceeds the bid price. In the current scenario a Hadoop job is a temporary job and does not run for a longer period. It fetches data from a persistent DynamoDB. Thus, even if the instance gets terminated there will be no data loss and the job can be re-run. As the output files are large temporary files, it will be useful to store data on ephemeral storage for cost savings. Reference: http://aws.amazon.com/ec2/purchasing-options/spot-instances/

NEW QUESTION 110 In Amazon SNS, to send push notifications to mobile devices using Amazon SNS and ADM, you need to obtain the following, except:

A. Device token B. Client ID C. Registration ID D. Client secret

Answer: A

Explanation: To send push notifications to mobile devices using Amazon SNS and ADM, you need to obtain the following: Registration ID and Client secret. Reference: http://docs.aws.amazon.com/sns/latest/dg/SNSMobilePushPrereq.html

NEW QUESTION 111 Which of the following is true while using an IAM role to grant permissions to applications running on Amazon EC2 instances?

A. All applications on the instance share the same role, but different permissions. B. All applications on the instance share multiple roles and permissions. C. Multiple roles are assigned to an EC2 instance at a time. D. Only one role can be assigned to an EC2 instance at a tim

Answer: D

Explanation: Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions. Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/role-usecase-ec2app.html

NEW QUESTION 114 Attempts, one of the three types of items associated with the schedule pipeline in the AWS Data Pipeline, provides robust data management. Which of the following statements is NOT true about Attempts?

A. Attempts provide robust data management. B. AWS Data Pipeline retries a failed operation until the count of retries reaches the maximum number of allowed retry attempts. C. An AWS Data Pipeline Attempt object compiles the pipeline components to create a set of actionable instances. D. AWS Data Pipeline Attempt objects track the various attempts, results, and failure reasons if applicable.

Answer: C

Explanation: Attempts, one of the three types of items associated with a schedule pipeline in AWS Data Pipeline, provides robust data management. AWS Data Pipeline retries a failed operation. It continues to do so until the task reaches the maximum number of allowed retry attempts. Attempt objects track the various attempts, results, and failure reasons if applicable. Essentially, it is the instance with a counter. AWS Data Pipeline performs retries using the same resources from the previous attempts, such as Amazon EMR clusters and EC2 instances. Reference: http://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-how-tasks-scheduled.html

NEW QUESTION 118 Select the correct statement about Amazon ElastiCache.

A. It makes it easy to set up, manage, and scale a distributed in-memory cache environment in the cloud. B. It allows you to quickly deploy your cache environment only if you install software. C. It does not integrate with other Amazon Web Services. D. It cannot run in the Amazon Virtual Private Cloud (Amazon VPC) environmen

Answer: A

Explanation: ElastiCache is a web service that makes it easy to set up, manage, and scale a distributed in-memory cache environment in the cloud. It provides a high-performance, scalable, and cost-effective caching solution, while removing the complexity associated with deploying and managing a distributed cache environment. With ElastiCache, you can quickly deploy your cache environment, without having to provision hardware or install software.

Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/WhatIs.html

NEW QUESTION 121 In Amazon RDS for PostgreSQL, you can provision up to 3TB storage and 30,000 IOPS per database instance. For a workload with 50% writes and 50% reads running on a cr1.8xlarge instance, you can realize over 25,000 IOPS for PostgreSQL. However, by provisioning more than this limit, you may be able to achieve:

A. higher latency and lower throughput. B. lower latency and higher throughput. C. higher throughput only. D. higher latency onl

Answer: B

Explanation: You can provision up to 3TB storage and 30,000 IOPS per database instance. For a workload with 50% writes and 50% reads running on a cr1.8xlarge instance, you can realize over 25,000 IOPS for PostgreSQL. However, by provisioning more than this limit, you may be able to achieve lower latency and higher throughput. Your actual realized IOPS may vary from the amount you provisioned based on your database workload, instance type, and database engine choice. Reference: https://aws.amazon.com/rds/postgresql/

NEW QUESTION 124 AWS Direct Connect itself has NO specific resources for you to control access to. Therefore, there are no AWS Direct Connect Amazon Resource Names (ARNs) for you to use in an Identity and Access Management (IAM) policy. With that in mind, how is it possible to write a policy to control access to AWS Direct Connect actions?

A. You can leave the resource name field blank. B. You can choose the name of the AWS Direct Connection as the resource. C. You can use an asterisk (*) as the resource. D. You can create a name for the resourc

Answer: C

Explanation: AWS Direct Connect itself has no specific resources for you to control access to. Therefore, there are no AWS Direct Connect ARNs for you to use in an IAM policy. You use an asterisk (*) as the resource when writing a policy to control access to AWS Direct Connect actions. Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/using_iam.html

NEW QUESTION 129 Regarding Identity and Access Management (IAM), which type of special account belonging to your application allows your code to access Google services programmatically?

A. Service account B. Simple Key C. OAuth D. Code account

Answer: A

Explanation: A service account is a special Google account that can be used by applications to access Google services programmatically. This account belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. A service account can have zero or more pairs of service account keys, which are used to authenticate to Google. A service account key is a public/private keypair generated by Google. Google retains the public key, while the user is given the private key. Reference: https://cloud.google.com/iam/docs/service-accounts

NEW QUESTION 131 An organization is planning to use NoSQL DB for its scalable data needs. The organization wants to host an application securely in AWS VPC. What action can be recommended to the organization?

A. The organization should setup their own NoSQL cluster on the AWS instance and configure route tables and subnets. B. The organization should only use a DynamoDB because by default it is always a part of the default subnet provided by AWS. C. The organization should use a DynamoDB while creating a table within the public subnet. D. The organization should use a DynamoDB while creating a table within a private subne

Answer: A

Explanation: The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Currently VPC does not support DynamoDB. Thus, if the user wants to implement VPC, he has to setup his own NoSQL DB within the VPC. Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html

NEW QUESTION 133 You create a VPN connection, and your VPN device supports Border Gateway Protocol (BGP). Which of the following should be specified to configure the VPN connection?

A. Classless routing

B. Classful routing C. Dynamic routing D. Static routing

Answer: C

Explanation: If you create a VPN connection, you must specify the type of routing that you plan to use, which will depend on the make and model of your VPN devices. If your VPN device supports Border Gateway Protocol (BGP), you need to specify dynamic routing when you configure your VPN connection. If your device does not support BGP, you should specify static routing. Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

NEW QUESTION 138 An organization has developed an application which provides a smarter shopping experience. They need to show a demonstration to various stakeholders who may not be able to access the in premise application so they decide to host a demo version of the application on AWS. Consequently they will need a fixed elastic IP attached automatically to the instance when it is launched. In this scenario which of the below mentioned options will not help assign the elastic IP automatically?

A. Write a script which will fetch the instance metadata on system boot and assign the public IP using that metadata. B. Provide an elastic IP in the user data and setup a bootstrapping script which will fetch that elastic IP and assign it to the instance. C. Create a controlling application which launches the instance and assigns the elastic IP based on the parameter provided when that instance is booted. D. Launch instance with VPC and assign an elastic IP to the primary network interfac

Answer: A

Explanation: EC2 allows the user to launch On-Demand instances. If the organization is using an application temporarily only for demo purposes the best way to assign an elastic IP would be: Launch an instance with a VPC and assign an EIP to the primary network interface. This way on every instance start it will have the same IP. Create a bootstrapping script and provide it some metadata, such as user data which can be used to assign an EIP. Create a controller instance which can schedule the start and stop of the instance and provide an EIP as a parameter so that the controller instance can check the instance boot and assign an EIP. The instance metadata gives the current instance data, such as the public/private IP. It can be of no use for assigning an EIP. Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html

NEW QUESTION 143 Can a Direct Connect link be connected directly to the Internet?

A. Yes, this can be done if you pay for it. B. Yes, this can be done only for certain regions. C. Yes D. No

Answer: D

Explanation: AWS Direct Connect is a network service that provides an alternative to using the Internet to utilize AWS cloud service. Hence, a Direct Connect link cannot be connected to the Internet directly. Reference: http://aws.amazon.com/directconnect/faqs/

NEW QUESTION 148 True or False: The Amazon ElastiCache clusters are not available for use in VPC at this time.

A. TRUE B. True, but they are available only in the GovCloud. C. True, but they are available only on request. D. FALSE

Answer: D

Explanation: Amazon ElastiCache clusters can be run in an Amazon VPC. With Amazon VPC, you can define a virtual network topology and customize the network configuration to closely resemble a traditional network that you might operate in your own datacenter. You can now take advantage of the manageability, availability and scalability benefits of Amazon ElastiCache Clusters in your own isolated network. The same functionality of Amazon ElastiCache, including automatic failure detection, recovery, scaling, auto discovery, Amazon CloudWatch metrics, and software patching, are now available in Amazon VPC. Reference: http://aws.amazon.com/about-aws/whats-new/2012/12/20/amazon-elasticache-announces-support-for-amazon-vpc/

NEW QUESTION 150 Identify a true statement about using an IAM role to grant permissions to applications running on Amazon EC2 instances.

A. When AWS credentials are rotated, developers have to update only the root Amazon EC2 instance that uses their credentials. B. When AWS credentials are rotated, developers have to update only the Amazon EC2 instance on which the password policy was applied and which uses their credentials. C. When AWS credentials are rotated, you don't have to manage credentials and you don't have to worry about long-term security risks. D. When AWS credentials are rotated, you must manage credentials and you should consider precautions for long-term security risks.

Answer: C

Explanation:

Using IAM roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration. Because role credentials are temporary and rotated automatically, you don't have to manage credentials, and you don't have to worry about long-term security risks. Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/role-usecase-ec2app.html

NEW QUESTION 154 Out of the striping options available for the EBS volumes, which one has the following disadvantage: 'Doubles the amount of I/O required from the instance to EBS compared to RAID 0, because you're mirroring all writes to a pair of volumes, limiting how much you can stripe.'?

A. Raid 1 B. Raid 0 C. RAID 1+0 (RAID 10) D. Raid 2

Answer: C

Explanation: RAID 1+0 (RAID 10) doubles the amount of I/O required from the instance to EBS compared to RAID 0, because you're mirroring all writes to a pair of volumes, limiting how much you can stripe. Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/raid-config.html

NEW QUESTION 156 In the context of IAM roles for Amazon EC2, which of the following is NOT true about delegating permission to make API requests?

A. You cannot create an IAM role. B. You can have the application retrieve a set of temporary credentials and use them. C. You can specify the role when you launch your instances. D. You can define which accounts or AWS services can assume the rol

Answer: A

Explanation: Amazon designed IAM roles so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles as follows: Create an IAM role. Define which accounts or AWS services can assume the role. Define which API actions and resources the application can use after assuming the role. Specify the role when you launch your instances. Have the application retrieve a set of temporary credentials and use them. Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

NEW QUESTION 161 In the context of Amazon ElastiCache CLI, which of the following commands can you use to view all ElastiCache instance events for the past 24 hours?

A. elasticache-events --duration 24 B. elasticache-events --duration 1440 C. elasticache-describe-events --duration 24 D. elasticache describe-events --source-type cache-cluster --duration 1440

Answer: D

Explanation: In Amazon ElastiCache, the code "aws elasticache describe-events --source-type cache-cluster --duration 1440" is used to list the cache-cluster events for the past 24 hours (1440 minutes). Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/ECEvents.Viewing.html

NEW QUESTION 162 In Amazon Cognito what is a silent push notification?

A. It is a push message that is received by your application on a user's device that will not be seen by the user. B. It is a push message that is received by your application on a user's device that will return the user's geolocation. C. It is a push message that is received by your application on a user's device that will not be heard by the user. D. It is a push message that is received by your application on a user's device that will return the user's authentication credentials.

Answer: A

Explanation: Amazon Cognito uses the Amazon Simple Notification Service (SNS) to send silent push notifications to devices. A silent push notification is a push message that is received by your application on a user's device that will not be seen by the user. Reference: http://aws.amazon.com/cognito/faqs/

NEW QUESTION 165 How does AWS Data Pipeline execute activities on on-premise resources or AWS resources that you manage?

A. By supplying a Task Runner package that can be installed on your on-premise hosts B. None of these C. By supplying a Task Runner file that the resources can access for execution D. By supplying a Task Runner json script that can be installed on your on-premise hosts

Answer: A

Explanation: To enable running activities using on-premise resources, AWS Data Pipeline does the following: It supplies a Task Runner package that can be installed on your on-premise hosts. This package continuously polls the AWS Data Pipeline service for work to perform. When it’s time to run a particular activity on your on-premise resources, it will issue the appropriate command to the Task Runner. Reference: https://aws.amazon.com/datapipeline/faqs/

NEW QUESTION 168 You are setting up some EBS volumes for a customer who has requested a setup which includes a RAID (redundant array of inexpensive disks). AWS has some recommendations for RAID setups. Which RAID setup is not recommended for Amazon EBS?

A. RAID 1 only B. RAID 5 only C. RAID 5 and RAID 6 D. RAID 0 only

Answer: C

Explanation: With Amazon EBS, you can use any of the standard RAID configurations that you can use with a traditional bare metal server, as long as that particular RAID configuration is supported by the operating system for your instance. This is because all RAID is accomplished at the software level. For greater I/O performance than you can achieve with a single volume, RAID 0 can stripe multiple volumes together; for on-instance redundancy, RAID 1 can mirror two volumes together. RAID 5 and RAID 6 are not recommended for Amazon EBS because the parity write operations of these RAID modes consume some of the IOPS available to your volumes. Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/raid-config.html

NEW QUESTION 170 In the context of AWS Cloud Hardware Security Module (HSM), does your application need to reside in the same VPC as the CloudHSM instance?

A. No, but the server or instance on which your application and the HSM client is running must have network (IP) reachability to the HSM. B. Yes, always C. No, but they must reside in the same Availability Zone. D. No, but it should reside in same Availability Zone as the DB instanc

Answer: A

Explanation: Your application does not need to reside in the same VPC as the CloudHSM instance. However, the server or instance on which your application and the HSM client is running must have network (IP) reachability to the HSM. You can establish network connectivity in a variety of ways, including operating your application in the same VPC, with VPC peering, with a VPN connection, or with Direct Connect. Reference: https://aws.amazon.com/cloudhsm/faqs/

NEW QUESTION 174 True or False: In Amazon ElastiCache, you can use Cache Security Groups to configure the cache clusters that are part of a VPC.

A. FALSE B. TRUE C. True, this is applicable only to cache clusters that are running in an Amazon VPC environment. D. True, but only when you configure the cache clusters using the Cache Security Groups from the console navigation pane.

Answer: A

Explanation: Amazon ElastiCache cache security groups are only applicable to cache clusters that are not running in an Amazon Virtual Private Cloud environment (VPC). If you are running in an Amazon Virtual Private Cloud, Cache Security Groups is not available in the console navigation pane. Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/CacheSecurityGroup.html

NEW QUESTION 178 What is the role of the PollForTask action when it is called by a task runner in AWS Data Pipeline?

A. It is used to retrieve the pipeline definition. B. It is used to report the progress of the task runner to AWS Data Pipeline. C. It is used to receive a task to perform from AWS Data Pipeline. D. It is used to inform AWS Data Pipeline of the outcome when the task runner completes a task.

Answer: C

Explanation: Task runners call PollForTask to receive a task to perform from AWS Data Pipeline. If tasks are ready in the work queue, PollForTask returns a response immediately. If no tasks are available in the queue, PollForTask uses long-polling and holds on to a poll connection for up to 90 seconds, during which time any newly scheduled tasks are handed to the task agent. Your remote worker should not call PollForTask again on the same worker group until it receives a response, and this may take up to 90 seconds. Reference: http://docs.aws.amazon.com/datapipeline/latest/APIReference/API_PollForTask.html

NEW QUESTION 182 A user is trying to create a PIOPS EBS volume with 4000 IOPS and 100 GB size. AWS does not allow the user to create this volume. What is the possible root cause for this?

A. PIOPS is supported for EBS higher than 500 GB size B. The maximum IOPS supported by EBS is 3000 C. The ratio between IOPS and the EBS volume is higher than 30 D. The ratio between IOPS and the EBS volume is lower than 50

Answer: C

Explanation: A Provisioned IOPS (SSD) volume can range in size from 4 GiB to 16 TiB and you can provision up to 20,000 IOPS per volume. The ratio of IOPS provisioned to the volume size requested should be a maximum of 30; for example, a volume with 3000 IOPS must be at least 100 GB. Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html#EBSVolumeTypes_piops

NEW QUESTION 184 A user is planning to host a Highly Available system on the AWS VPC. Which of the below mentioned statements is helpful in this scenario?

A. Create VPC subnets in two separate availability zones and launch instances in different subnets. B. Create VPC with only one public subnet and launch instances in different AZs using that subnet. C. Create two VPCs in two separate zones and setup failover with ELB such that if one VPC fails it will divert traffic to another VPC. D. Create VPC with only one private subnet and launch instances in different AZs using that subnet.

Answer: A

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. The VPC is always specific to a region. The user can create a VPC which can span multiple Availability Zones by adding one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span across zones. Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#VPCSubnet

NEW QUESTION 187 What is a possible reason you would need to edit claims issued in a SAML token?

A. The NameIdentifier claim cannot be the same as the username stored in AD. B. Authentication fails consistently. C. The NameIdentifier claim cannot be the same as the claim URI. D. The NameIdentifier claim must be the same as the username stored in AD.

Answer: A

Explanation: The two reasons you would need to edit claims issued in a SAML token are: The NameIdentifier claim cannot be the same as the username stored in AD, and The app requires a different set of claim URIs. Reference: https://azure.microsoft.com/en-us/documentation/articles/active-directory-saml-claims-customization/

NEW QUESTION 192 What is the network performance offered by the c4.8xlarge instance in Amazon EC2?

A. Very High but variable B. 20 Gigabit C. 5 Gigabit D. 10 Gigabit

Answer: D

Explanation: Networking performance offered by the c4.8xlarge instance is 10 Gigabit. Reference: http://aws.amazon.com/ec2/instance-types/

NEW QUESTION 197 An organization is setting up a web application with the JEE stack. The application uses the JBoss app server and MySQL DB. The application has a logging module which logs all the activities whenever a business function of the JEE application is called. The logging activity takes some time due to the large size of the log file. If the application wants to setup a scalable infrastructure which of the below mentioned options will help achieve this setup?

A. Host the log files on EBS with PIOPS which will have higher I/O. B. Host logging and the app server on separate servers such that they are both in the same zone. C. Host logging and the app server on the same instance so that the network latency will be shorter. D. Create a separate module for logging and using SQS compartmentalize the module such that all calls to logging are asynchronous.

Answer: D

Explanation: The organization can always launch multiple EC2 instances in the same region across multiple AZs for HA and DR. The AWS architecture practice recommends compartmentalizing the functionality such that they can both run in parallel without affecting the performance of the main application. In this scenario logging takes a longer time due to the large size of the log file. Thus, it is recommended that the organization should separate them out and make separate modules and make asynchronous calls among them. This way the application can scale as per the requirement and the performance will not bear the impact of logging. Reference: http://www.awsarchitectureblog.com/2014/03/aws-and-compartmentalization.html

NEW QUESTION 198 A user has set the IAM policy where it denies all requests if a request is not from IP 10.10.10.1/32. The other policy says allow all requests between 5 PM to 7 PM. What will happen when a user is requesting access from IP 55.109.10.12/32 at 6 PM?

A. It will deny access B. It is not possible to set a policy based on the time or IP C. IAM will throw an error for policy conflict D. It will allow access

Answer: A

Explanation: When a request is made, the AWS IAM policy decides whether a given request should be allowed or denied. The evaluation logic follows these rules: By default, all requests are denied. (In general, requests made using the account credentials for resources in the account are always allowed.) An explicit allow policy overrides this default. An explicit deny policy overrides any allows. In this case there are both explicit deny and explicit allow statements, so the request will be denied because deny overrides allow. Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html

NEW QUESTION 200 You want to use Amazon Redshift and you are planning to deploy dw1.8xlarge nodes. What is the minimum number of nodes that you need to deploy with this kind of configuration?

A. 1 B. 4 C. 3 D. 2

Answer: D

Explanation: For a single-node configuration in Amazon Redshift, the only option available is the smaller of the two options. The 8XL extra-large nodes are only available in a multi-node configuration. Reference: http://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html

NEW QUESTION 204 Mike is appointed as Cloud Consultant in ExamKiller.com. ExamKiller has the following VPCs set-up in the US East Region: A VPC with CIDR block 10.10.0.0/16, a subnet in that VPC with CIDR block 10.10.1.0/24; A VPC with CIDR block 10.40.0.0/16, a subnet in that VPC with CIDR block 10.40.1.0/24. ExamKiller.com is trying to establish network connection between two subnets, a subnet with CIDR block 10.10.1.0/24 and another subnet with CIDR block 10.40.1.0/24. Which one of the following solutions should Mike recommend to ExamKiller.com?

A. Create 2 Virtual Private Gateways and configure one with each VPC. B. Create 2 Internet Gateways, and attach one to each VPC. C. Create a VPC Peering connection between both VPCs. D. Create one EC2 instance in each subnet, assign Elastic IPs to both instances, and configure a set up Site-to-Site VPN connection between both EC2 instances.

Answer: C

Explanation: A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. EC2 instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region. AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware. Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html

NEW QUESTION 205 Can Provisioned IOPS be used on RDS instances launched in a VPC?

A. Yes, they can be used only with Oracle based instances. B. Yes, they can be used for all RDS instances. C. No D. Yes, they can be used only with MySQL based instances.

Answer: B

Explanation: The basic building block of Amazon RDS is the DB instance. DB instance storage comes in three types: Magnetic, General Purpose (SSD), and Provisioned IOPS (SSD). When you buy a server, you get CPU, memory, storage, and IOPS, all bundled together. With Amazon RDS, these are split apart so that you can scale them independently. So, for example, if you need more CPU, less IOPS, or more storage, you can easily allocate them. Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/RDSFAQ.PIOPS.html

NEW QUESTION 210 To get started using AWS Direct Connect, in which of the following steps do you configure Border Gateway Protocol (BGP)?

A. Complete the Cross Connect B. Configure Redundant Connections with AWS Direct Connect

C. Create a Virtual Interface D. Download Router Configuration

Answer: C

Explanation: In AWS Direct Connect, your network must support Border Gateway Protocol (BGP) and BGP MD5 authentication, and you need to provide a private Autonomous System Number (ASN) for that to connect to Amazon Virtual Private Cloud (VPC). To connect to public AWS products such as Amazon EC2 and Amazon S3, you will also need to provide a public ASN that you own (preferred) or a private ASN. You have to configure BGP in the Create a Virtual Interface step. Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted.html#createvirtualinterface

NEW QUESTION 214 An organization is setting up their website on AWS. The organization is working on various security measures to be performed on the AWS EC2 instances. Which of the below mentioned security mechanisms will not help the organization to avoid future data leaks and identify security weaknesses?

A. Run penetration testing on AWS with prior approval from Amazon. B. Perform SQL injection for application testing. C. Perform a Code Check for any memory leaks. D. Perform a hardening test on the AWS instance.

Answer: C

Explanation: AWS security follows the shared security model where the user is as much responsible as Amazon. Since Amazon is a public cloud it is bound to be targeted by hackers. If an organization is planning to host their application on AWS EC2, they should perform the below mentioned security checks as a measure to find any security weakness/data leaks: Perform penetration testing as performed by attackers to find any vulnerability. The organization must take an approval from AWS before performing penetration testing. Perform hardening testing to find if there are any unnecessary ports open. Perform SQL injection to find any DB security issues. The code memory checks are generally useful when the organization wants to improve the application performance. Reference: http://aws.amazon.com/security/penetration-testing/

NEW QUESTION 219 In Amazon ElastiCache, the default cache port is:

A. for Memcached 11210 and for Redis 6380. B. for Memcached 11211 and for Redis 6380. C. for Memcached 11210 and for Redis 6379. D. for Memcached 11211 and for Redis 6379.

Answer: D

Explanation: In Amazon ElastiCache, you can specify a new port number for your cache cluster, which by default is 11211 for Memcached and 6379 for Redis. Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/GettingStarted.AuthorizeAccess.html

NEW QUESTION 220 Which of the following cannot be used to manage Amazon ElastiCache and perform administrative tasks?

A. AWS software development kits (SDKs) B. Amazon S3 C. ElastiCache command line interface (CLI) D. AWS CloudWatch

Answer: D

Explanation: CloudWatch is a monitoring tool and doesn't give users access to manage Amazon ElastiCache. Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/WhatIs.Managing.html

NEW QUESTION 221 Identify a true statement about the statement ID (Sid) in IAM.

A. You cannot expose the Sid in the IAM API. B. You cannot use a Sid value as a sub-ID for a policy document's ID for services provided by SQS and SNS. C. You can expose the Sid in the IAM API. D. You cannot assign a Sid value to each statement in a statement array.

Answer: A

Explanation: The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In IAM, the Sid is not exposed in the IAM API. You can't retrieve a particular statement based on this ID. Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Sid

NEW QUESTION 224 In Amazon ElastiCache, which of the following statements is correct?

A. When you launch an ElastiCache cluster into an Amazon VPC private subnet, every cache node is assigned a public IP address within that subnet. B. You cannot use ElastiCache in a VPC that is configured for dedicated instance tenancy. C. If your AWS account supports only the EC2-VPC platform, ElastiCache will never launch your cluster in a VPC. D. ElastiCache is not fully integrated with Amazon Virtual Private Cloud (VPC).

Answer: B

Explanation: The VPC must allow non-dedicated EC2 instances. You cannot use ElastiCache in a VPC that is configured for dedicated instance tenancy. Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/AmazonVPC.EC.html

NEW QUESTION 229 An organization, which has the AWS account ID as 999988887777, has created 50 IAM users. All the users are added to the same group examkiller. If the organization has enabled that each IAM user can login with the AWS console, which AWS login URL will the IAM users use?

A. https://999988887777.aws.amazon.com/examkiller/ B. https://signin.aws.amazon.com/examkiller/ C. https://examkiller.signin.aws.amazon.com/999988887777/console/ D. https://999988887777.signin.aws.amazon.com/console/

Answer: D

Explanation: AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. Once the organization has created the IAM users, they will have a separate AWS console URL to login to the AWS console. The console login URL for the IAM user will be https://AWS_Account_ID.signin.aws.amazon.com/console/. It uses only the AWS account ID and does not depend on the group or user ID. Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccountAlias.html

NEW QUESTION 232 You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each account's bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal.

A. Create IAM users in the Master account with full Admin permissions. B. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account. C. Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts. D. Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access. E. Link the accounts using Consolidated Billing. F. This will give IAM users in the Master account access to resources in the Dev and Test accounts

Answer: C

NEW QUESTION 236 You're running an application on-premises due to its dependency on non-x86 hardware and want to use AWS for data backup. Your backup application is only able to write to POSIX-compatible block-based storage. You have 140TB of data and would like to mount it as a single folder on your file server. Users must be able to access portions of this data while the backups are taking place. What backup solution would be most appropriate for this use case?

A. Use Storage Gateway and configure it to use Gateway Cached volumes. B. Configure your backup software to use S3 as the target for your data backups. C. Configure your backup software to use Glacier as the target for your data backups. D. Use Storage Gateway and configure it to use Gateway Stored volumes.

Answer: A

NEW QUESTION 240 To serve Web traffic for a popular product your chief financial officer and IT director have purchased 10 m1.large heavy utilization Reserved Instances (RIs) evenly spread across two availability zones: Route 53 is used to deliver the traffic to an Elastic Load Balancer (ELB). After several months, the product grows even more popular and you need additional capacity. As a result, your company purchases two c3.2xlarge medium utilization RIs. You register the two c3.2xlarge instances with your ELB and quickly find that the m1.large instances are at 100% of capacity and the c3.2xlarge instances have significant capacity that's unused. Which option is the most cost effective and uses EC2 capacity most effectively?

A. Configure Autoscaling group and Launch Configuration with ELB to add up to 10 more on-demand m1.large instances when triggered by CloudWatch. B. Shut off c3.2xlarge instances. C. Configure ELB with two c3.2xlarge instances and use on-demand Autoscaling group for up to two additional c3.2xlarge instances. D. Shut off m1.large instances. E. Route traffic to EC2 m1.large and c3.2xlarge instances directly using Route 53 latency based routing and health checks. F. Shut off ELB. G. Use a separate ELB for each instance type and distribute load to ELBs with Route 53 weighted round robin.

Answer: B

NEW QUESTION 243 You have deployed a web application targeting a global audience across multiple AWS Regions under the domain name example.com. You decide to use Route53 Latency-Based Routing to serve web requests to users from the region closest to the user. To provide business continuity in the event of server downtime you configure weighted record sets associated with two web servers in separate Availability Zones per region. During a DR test you notice that when you disable all web servers in one of the regions Route53 does not automatically direct all users to the other region. What could be happening? (Choose 2 answers)

A. Latency resource record sets cannot be used in combination with weighted resource record sets. B. You did not setup an HTTP health check to one or more of the weighted resource record sets associated with the disabled web servers. C. The value of the weight associated with the latency alias resource record set in the region with the disabled servers is higher than the weight for the other region. D. One of the two working web servers in the other region did not pass its HTTP health check. E. You did not set "Evaluate Target Health" to "Yes" on the latency alias resource record set associated with example.com in the region where you disabled the servers.

Answer: BE

NEW QUESTION 245 You have been asked to design the storage layer for an application. The application requires disk performance of at least 100,000 IOPS. In addition, the storage layer must be able to survive the loss of an individual disk, EC2 instance, or Availability Zone without any data loss. The volume you provide must have a capacity of at least 3 TB. Which of the following designs will meet these objectives?

A. Instantiate a c3.8xlarge instance in us-east-1. Provision 4x1TB EBS volumes, attach them to the instance, and configure them as a single RAID 5 volume. B. Ensure that EBS snapshots are performed every 15 minutes. C. Instantiate a c3.8xlarge instance in us-east-1. Provision 3x1TB EBS volumes, attach them to the instance, and configure them as a single RAID 0 volume. D. Ensure that EBS snapshots are performed every 15 minutes. E. Instantiate an i2.8xlarge instance in us-east-1 F. Create a RAID 0 volume using the four 800GB SSD ephemeral disks provided with the instance. G. Provision 3x1TB EBS volumes, attach them to the instance, and configure them as a second RAID 0 volume. H. Configure synchronous, block-level replication from the ephemeral-backed volume to the EBS-backed volume. I. Instantiate a c3.8xlarge instance in us-east-1. Provision an AWS Storage Gateway and configure it for 3 TB of storage and 100,000 IOPS. J. Attach the volume to the instance. K. Instantiate an i2.8xlarge instance in us-east-1 L. Create a RAID 0 volume using the four 800GB SSD ephemeral disks provided with the instance. M. Configure synchronous, block-level replication to an identically configured instance in us-east-1b.

Answer: C

NEW QUESTION 248 A large real-estate brokerage is exploring the option of adding a cost-effective location based alert to their existing mobile application. The application backend infrastructure currently runs on AWS. Users who opt in to this service will receive alerts on their mobile device regarding real-estate offers in proximity to their location. For the alerts to be relevant, delivery time needs to be in the low minute count. The existing mobile app has 5 million users across the US. Which one of the following architectural suggestions would you make to the customer?

A. The mobile application will submit its location to a web service endpoint utilizing Elastic Load Balancing and EC2 instances: DynamoDB will be used to store and retrieve relevant offers. EC2 instances will communicate with mobile carriers/device providers to push alerts back to mobile application. B. Use AWS DirectConnect or VPN to establish connectivity with mobile carriers. EC2 instances will receive the mobile application's location through carrier connection: RDS will be used to store and retrieve relevant offers. EC2 instances will communicate with mobile carriers to push alerts back to the mobile application C. The mobile application will send device location using SQS. D. EC2 instances will retrieve the relevant offers from DynamoDB. AWS Mobile Push will be used to send offers to the mobile application E. The mobile application will send device location using AWS Mobile Push. EC2 instances will retrieve the relevant offers from DynamoDB. EC2 instances will communicate with mobile carriers/device providers to push alerts back to the mobile application.

Answer: A

NEW QUESTION 252 You currently operate a web application in the AWS US-East region. The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2, IAM and RDS resources. The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend?

A. Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. B. Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs. C. Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLs and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. D. Create three new CloudTrail trails with three new S3 buckets to store the logs: one for the AWS Management console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.

Answer: A

NEW QUESTION 253 Your company has HQ in Tokyo and branch offices all over the world and is using a logistics software with a multi-regional deployment on AWS in Japan, Europe and US

A. The logistic software has a 3-tier architecture and currently uses MySQL 5.6 for data persistence. B. Each region has deployed its own database. In the HQ region you run an hourly batch process reading data from every region to compute cross-regional reports that are sent by email to all offices. This batch process must be completed as fast as possible to quickly optimize logistics. How do you build the database architecture in order to meet the requirements? C. For each regional deployment, use RDS MySQL with a master in the region and a read replica in the HQ region D. For each regional deployment, use MySQL on EC2 with a master in the region and send hourly EBS snapshots to the HQ region E. For each regional deployment, use RDS MySQL with a master in the region and send hourly RDS snapshots to the HQ region F. For each regional deployment, use MySQL on EC2 with a master in the region and use S3 to copy data files hourly to the HQ region

G. Use Direct Connect to connect all regional MySQL deployments to the HQ region and reduce network latency for the batch process

Answer: A

NEW QUESTION 257 Company B is launching a new game app for mobile devices. Users will log into the game using their existing social media account to streamline data capture. Company B would like to directly save player data and scoring information from the mobile app to a DynamoDB table named Score Data. When a user saves their game the progress data will be stored to the Game state S3 bucket. What is the best approach for storing data to DynamoDB and S3?

A. Use an EC2 Instance that is launched with an EC2 role providing access to the Score Data DynamoDB table and the GameState S3 bucket that communicates with the mobile app via web services. B. Use temporary security credentials that assume a role providing access to the Score Data DynamoDB table and the Game State S3 bucket using web identity federation. C. Use Login with Amazon allowing users to sign in with an Amazon account providing the mobile app with access to the Score Data DynamoDB table and the Game State S3 bucket. D. Use an IAM user with access credentials assigned a role providing access to the Score Data DynamoDB table and the Game State S3 bucket for distribution with the mobile app.

Answer: B

NEW QUESTION 260 You are designing an intrusion detection prevention (IDS/IPS) solution for a customer web application in a single VPC. You are considering the options for implementing IDS/IPS protection for traffic coming from the Internet. Which of the following options would you consider? (Choose 2 answers)

A. Implement IDS/IPS agents on each instance running in VPC B. Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic. C. Implement Elastic Load Balancing with SSL listeners in front of the web applications D. Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.

Answer: BD

NEW QUESTION 265 An international company has deployed a multi-tier web application that relies on DynamoDB in a single region. For regulatory reasons they need disaster recovery capability in a separate region with a Recovery Time Objective of 2 hours and a Recovery Point Objective of 24 hours. They should synchronize their data on a regular basis and be able to provision the web application rapidly using CloudFormation. The objective is to minimize changes to the existing web application, control the throughput of DynamoDB used for the synchronization of data and synchronize only the modified elements. Which design would you choose to meet these requirements?

A. Use AWS Data Pipeline to schedule a DynamoDB cross region copy once a day, create a "Lastupdated" attribute in your DynamoDB table that would represent the timestamp of the last update and use it as a filter. B. Use EMR and write a custom script to retrieve data from DynamoDB in the current region using a SCAN operation and push it to DynamoDB in the second region. C. Use AWS Data Pipeline to schedule an export of the DynamoDB table to S3 in the current region once a day then schedule another task immediately after it that will import data from S3 to DynamoDB in the other region. D. Also send each write into an SQS queue in the second region; use an auto-scaling group behind the SQS queue to replay the write in the second region.

Answer: A

NEW QUESTION 266 You must architect the migration of a web application to AWS. The application consists of Linux web servers running a custom web server. You are required to save the logs generated from the application to a durable location. What options could you select to migrate the application to AWS? (Choose 2)

A. Create an AWS Elastic Beanstalk application using the custom web server platform. Specify the web server executable and the application project and source files. Enable log file rotation to Amazon Simple Storage Service (S3).
B. Create Dockerfile for the application. Create an AWS OpsWorks stack consisting of a custom layer. Create custom recipes to install Docker and to deploy your Docker container using the Dockerfile. Create custom recipes to install and configure the application to publish the logs to Amazon CloudWatch Logs.
C. Create Dockerfile for the application. Create an AWS OpsWorks stack consisting of a Docker layer that uses the Dockerfile. Create custom recipes to install and configure Amazon Kinesis to publish the logs into Amazon CloudWatch.
D. Create a Dockerfile for the application. Create an AWS Elastic Beanstalk application using the Docker platform and the Dockerfile. Enable logging the Docker configuration to automatically publish the application logs. Enable log file rotation to Amazon S3.
E. Use VM import/Export to import a virtual machine image of the server into AWS as an AMI. Create an Amazon Elastic Compute Cloud (EC2) instance from AMI, and install and configure the Amazon CloudWatch Logs agent. Create a new AMI from the instance. Create an AWS Elastic Beanstalk application using the AMI platform and the new AMI.

Answer: AD

NEW QUESTION 267 Your website is serving on-demand training videos to your workforce. Videos are uploaded monthly in high resolution MP4 format. Your workforce is distributed globally, often on the move and using company-provided tablets that require the HTTP Live Streaming (HLS) protocol to watch a video. Your company has no video transcoding expertise and if required you may need to pay for a consultant. How do you implement the most cost-efficient architecture without compromising high availability and quality of video delivery?

A. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue. EBS volumes to host videos and EBS snapshots to incrementally backup original files after a few days. CloudFront to serve HLS transcoded videos from EC2.
B. Elastic Transcoder to transcode original high-resolution MP4 videos to HLS. EBS volumes to host videos and EBS snapshots to incrementally backup original files after a few days. CloudFront to serve HLS transcoded videos from EC2.
C. Elastic Transcoder to transcode original high-resolution MP4 videos to HLS. S3 to host videos with Lifecycle Management to archive original files to Glacier after a few days. CloudFront to serve HLS transcoded videos from S3.
D. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue. S3 to host videos with Lifecycle Management to archive all files to Glacier after a few days. CloudFront to serve HLS transcoded videos from Glacier.

Answer: C

NEW QUESTION 271 You are running a news website in the eu-west-1 region that updates every 15 minutes. The website has a world-wide audience. It uses an Auto Scaling group behind an Elastic Load Balancer and an Amazon RDS database. Static content resides on Amazon S3, and is distributed through Amazon CloudFront. Your Auto Scaling group is set to trigger a scale up event at 60% CPU utilization. You use an Amazon RDS extra large DB instance with 10.000 Provisioned IOPS; its CPU utilization is around 80%, while freeable memory is in the 2 GB range. Web analytics reports show that the average load time of your web pages is around 1.5 to 2 seconds, but your SEO consultant wants to bring down the average load time to under 0.5 seconds. How would you improve page load times for your users? (Choose 3 answers)

A. Lower the scale up trigger of your Auto Scaling group to 30% so it scales more aggressively. B. Add an Amazon ElastiCache caching layer to your application for storing sessions and frequent DB queries. C. Configure Amazon CloudFront dynamic content support to enable caching of re-usable content from your site. D. Switch the Amazon RDS database to the high memory extra large instance type. E. Set up a second installation in another region, and use the latency-based routing feature to select the right region.

Answer: ABD

NEW QUESTION 272 You are designing a personal document-archiving solution for your global enterprise with thousands of employees. Each employee has potentially gigabytes of data to be backed up in this archiving solution. The solution will be exposed to the employees as an application, where they can just drag and drop their files to the archiving system. Employees can retrieve their archives through a web interface. The corporate network has high bandwidth AWS Direct Connect connectivity to AWS. You have a regulatory requirement that all data needs to be encrypted before being uploaded to the cloud. How do you implement this in a highly available and cost-efficient way?

A. Manage encryption keys on-premises in an encrypted relational database. Set up an on-premises server with sufficient storage to temporarily store files, and then upload them to Amazon S3, providing a client-side master key.
B. Manage encryption keys in a Hardware Security Module (HSM) appliance on-premises server with sufficient storage to temporarily store, encrypt, and upload files directly into .
C. Manage encryption keys in Amazon Key Management Service (KMS), upload to Amazon Simple Storage Service (S3) with client-side encryption using a KMS customer master key ID, and configure Amazon S3 lifecycle policies to store each object using the Amazon Glacier storage tier.
D. Manage encryption keys in an AWS CloudHSM appliance. Encrypt files prior to uploading on the employee desktop, and then upload directly into Amazon Glacier.

Answer: C

NEW QUESTION 277 A company is building a voting system for a popular TV show. Viewers will watch the performances, then visit the show's website to vote for their favorite performer. It is expected that in a short period of time after the show has finished the site will receive millions of visitors. The visitors will first login to the site using their Amazon.com credentials and then submit their vote. After the voting is completed the page will display the vote totals. The company needs to build the site such that it can handle the rapid influx of traffic while maintaining good performance, but also wants to keep costs to a minimum. Which of the design patterns below should they use?

A. Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers; the web servers will first call the Login With Amazon service to authenticate the user, then process the user's vote and store the result into a multi-AZ Relational Database Service instance.
B. Use CloudFront and the static website hosting feature of S3 with the Javascript SDK to call the Login With Amazon service to authenticate the user; use IAM Roles to gain permissions to a DynamoDB table to store the user's vote.
C. Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers; the web servers will first call the Login With Amazon service to authenticate the user, then the web servers will process the user's vote and store the result into a DynamoDB table using IAM Roles for EC2 instances to gain permissions to the DynamoDB table.
D. Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers; the web servers will first call the Login With Amazon service to authenticate the user, then the web servers will process the user's vote and store the result into an SQS queue using IAM Roles for EC2 instances to gain permissions to the SQS queue. A set of application servers will then retrieve the items from the queue and store the result into a DynamoDB table.

Answer: D

NEW QUESTION 282 Dave is the main administrator in Example Corp., and he decides to use paths to help delineate the users in the company and set up a separate administrator group for each path-based division. Following is a subset of the full list of paths he plans to use: /marketing, /sales, /legal. Dave creates an administrator group for the marketing part of the company and calls it Marketing_Admin. He assigns it the /marketing path. The group's ARN is arn:aws:iam::123456789012:group/marketing/Marketing_Admin. Dave assigns the following policy to the Marketing_Admin group that gives the group permission to use all IAM actions with all groups and users in the /marketing path. The policy also gives the Marketing_Admin group permission to perform any AWS S3 actions on the objects in the portion of the corporate bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": [
        "arn:aws:iam::123456789012:group/marketing/*",
        "arn:aws:iam::123456789012:user/marketing/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example_bucket/marketing/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket*",
      "Resource": "arn:aws:s3:::example_bucket",
      "Condition": {"StringLike": {"s3:prefix": "marketing/*"}}
    }
  ]
}

A. True B. False

Answer: B

NEW QUESTION 287 You have an application running on an EC2 instance which will allow users to download files from a private S3 bucket using a pre-signed URL. Before generating the URL, the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely?

A. Use the AWS account access keys; the application retrieves the credentials from the source code of the application. B. Create an IAM role for EC2 that allows list access to objects in the S3 bucket; launch the instance with the role, and retrieve the role's credentials from the EC2 instance metadata. C. Create an IAM user for the application with permissions that allow list access to the S3 bucket; the application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user. D. Create an IAM user for the application with permissions that allow list access to the S3 bucket; launch the instance as the IAM user, and retrieve the IAM user's credentials from the EC2 instance user data.

Answer: B

NEW QUESTION 291 Your company plans to host a large donation website on Amazon Web Services (AWS). You anticipate a large and undetermined amount of traffic that will create many database writes. To be certain that you do not drop any writes to a database hosted on AWS, which service should you use?

A. Amazon RDS with provisioned IOPS up to the anticipated peak write throughput. B. Amazon Simple Queue Service (SQS) for capturing the writes and draining the queue to write to the database. C. Amazon ElastiCache to store the writes until the writes are committed to the database. D. Amazon DynamoDB with provisioned write throughput up to the anticipated peak write throughput.

Answer: B

NEW QUESTION 292 You've been brought in as solutions architect to assist an enterprise customer with their migration of an e-commerce platform to Amazon Virtual Private Cloud (VPC). The previous architect has already deployed a 3-tier VPC. The configuration is as follows:

VPC: vpc-2f8bc447
IGW: igw-2d8bc445
NACL: acl-208bc448
Subnets and Route Tables:
  Web servers: subnet-258bc44d
  Application servers: subnet-248bc44c
  Database servers: subnet-9189c6f9
Route Tables:
  rtb-218bc449
  rtb-238bc44b
Associations:
  subnet-258bc44d : rtb-218bc449
  subnet-248bc44c : rtb-238bc44b
  subnet-9189c6f9 : rtb-238bc44b

You are now ready to begin deploying EC2 instances into the VPC. Web servers must have direct access to the internet. Application and database servers cannot have direct access to the internet. Which configuration below will allow you the ability to remotely administer your application and database servers, as well as allow these servers to retrieve updates from the Internet?

A. Create a bastion and NAT instance in subnet-258bc44d, and add a route from rtb-238bc44b to the NAT instance. B. Add a route from rtb-238bc44b to igw-2d8bc445 and add a bastion and NAT instance within subnet-248bc44c. C. Create a bastion and NAT instance in subnet-248bc44c, and add a route from rtb-238bc44b to subnet-258bc44d. D. Create a bastion and NAT instance in subnet-258bc44d, add a route from rtb-238bc44b to igw-2d8bc445, and a new NACL that allows access between subnet-258bc44d and subnet-248bc44c.

Answer: A

NEW QUESTION 293 An administrator is using Amazon CloudFormation to deploy a three tier web application that consists of a web tier and application tier that will utilize Amazon DynamoDB for storage. When creating the CloudFormation template, which of the following would allow the application instance access to the DynamoDB tables without exposing API credentials?

A. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and associate the Role to the application instances by referencing an instance profile. B. Use the Parameter section in the CloudFormation template to have the user input Access and Secret Keys from an already created IAM user that has the permissions required to read and write from the required DynamoDB table. C. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and reference the Role in the instance profile property of the application instance. D. Create an Identity and Access Management user in the CloudFormation template that has permissions to read and write from the required DynamoDB table, use the GetAtt function to retrieve the Access and Secret keys and pass them to the application instance through user-data.

Answer: C

NEW QUESTION 297 Your company has recently extended its datacenter into a VPC on AWS to add burst computing capacity as needed. Members of your Network Operations Center need to be able to go to the AWS Management Console and administer Amazon EC2 instances as necessary. You don't want to create new IAM users for each NOC member and make those users sign in again to the AWS Management Console. Which option below will meet the needs for your NOC members?

A. Use OAuth 2.0 to retrieve temporary AWS security credentials to enable your NOC members to sign in to the AWS Management Console. B. Use Web Identity Federation to retrieve AWS temporary security credentials to enable your NOC members to sign in to the AWS Management Console. C. Use your on-premises SAML 2.0-compliant identity provider (IDP) to grant the NOC members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint. D. Use your on-premises SAML 2.0-compliant identity provider (IDP) to retrieve temporary security credentials to enable NOC members to sign in to the AWS Management Console.

Answer: D

NEW QUESTION 302 You have an application running on an EC2 instance which will allow users to download files from a private S3 bucket using a pre-signed URL. Before generating the URL, the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely?

A. Use the AWS account access keys; the application retrieves the credentials from the source code of the application.
B. Create an IAM user for the application with permissions that allow list access to the S3 bucket; launch the instance as the IAM user and retrieve the IAM user's credentials from the EC2 instance user data.
C. Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role's credentials from the EC2 instance metadata.
D. Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.

Answer: C

NEW QUESTION 303 A benefits enrollment company is hosting a 3-tier web application running in a VPC on AWS which includes a NAT (Network Address Translation) instance in the public Web tier. There is enough provisioned capacity for the expected workload for the new fiscal year benefit enrollment period plus some extra overhead. Enrollment proceeds nicely for two days and then the web tier becomes unresponsive. Upon investigation using CloudWatch and other monitoring tools it is discovered that there is an extremely large and unanticipated amount of inbound traffic coming from a set of 15 specific IP addresses over port 80 from a country where the benefits company has no customers. The web tier instances are so overloaded that benefit enrollment administrators cannot even SSH into them. Which activity would be useful in defending against this attack?

A. Create a custom route table associated with the web tier and block the attacking IP addresses from the IGW (Internet Gateway). B. Change the EIP (Elastic IP Address) of the NAT instance in the web tier subnet and update the Main Route Table with the new EIP. C. Create 15 Security Group rules to block the attacking IP addresses over port 80. D. Create an inbound NACL (Network Access Control List) associated with the web tier subnet with deny rules to block the attacking IP addresses.

Answer: D

NEW QUESTION 305 Select the correct set of options. These are the initial settings for the default security group:

A. Allow no inbound traffic, Allow all outbound traffic and Allow instances associated with this security group to talk to each other B. Allow all inbound traffic, Allow no outbound traffic and Allow instances associated with this security group to talk to each other C. Allow no inbound traffic, Allow all outbound traffic and Does NOT allow instances associated with this security group to talk to each other D. Allow all inbound traffic, Allow all outbound traffic and Does NOT allow instances associated with this security group to talk to each other

Answer: A

NEW QUESTION 309 In AWS, which security aspects are the customer's responsibility? Choose 4 answers

A. Security Group and ACL (Access Control List) settings B. Decommissioning storage devices C. Patch management on the EC2 instance's operating system D. Life-cycle management of IAM credentials E. Controlling physical access to compute resources F. Encryption of EBS (Elastic Block Storage) volumes

Answer: ACDF

NEW QUESTION 314 Your company policies require encryption of sensitive data at rest. You are considering the possible options for protecting data while storing it at rest on an EBS data volume, attached to an EC2 instance. Which of these options would allow you to encrypt your data at rest? Choose 3 answers

A. Implement third party volume encryption tools B. Implement SSL/TLS for all services running on the server C. Encrypt data inside your applications before storing it on EBS D. Encrypt data using native data encryption drivers at the file system level E. Do nothing as EBS volumes are encrypted by default

Answer: ACD

NEW QUESTION 318 A customer is deploying an SSL enabled web application to AWS and would like to implement a separation of roles between the EC2 service administrators that are entitled to login to instances as well as making API calls and the security officers who will maintain and have exclusive access to the application's X.509 certificate that contains the private key.

A. Upload the certificate on an S3 bucket owned by the security officers and accessible only by EC2 Role of the web servers. B. Configure the web servers to retrieve the certificate upon boot from a CloudHSM that is managed by the security officers. C. Configure system permissions on the web servers to restrict access to the certificate only to the authorized security officers. D. Configure IAM policies authorizing access to the certificate store only to the security officers and terminate SSL on an ELB.

Answer: D

NEW QUESTION 321 A web company is looking to implement an intrusion detection and prevention system into their deployed VPC. This platform should have the ability to scale to thousands of instances running inside of the VPC. How should they architect their solution to achieve these goals?

A. Configure an instance with monitoring software and the elastic network interface (ENI) set to promiscuous mode packet sniffing to see all traffic across the VPC. B. Create a second VPC and route all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides. C. Configure servers running in the VPC using the host-based 'route' commands to send all traffic through the platform to a scalable virtualized IDS/IPS. D. Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection.

Answer: C

NEW QUESTION 323 You are designing Internet connectivity for your VPC. The Web servers must be available on the Internet. The application must have a highly available architecture. Which alternatives should you consider? (Choose 2 answers)

A. Configure a NAT instance in your VPC. Create a default route via the NAT instance and associate it with all subnets. Configure a DNS A record that points to the NAT instance public IP address.
B. Configure a CloudFront distribution and configure the origin to point to the private IP addresses of your Web servers. Configure a Route53 CNAME record to your CloudFront distribution.
C. Place all your web servers behind ELB. Configure a Route53 CNAME to point to the ELB DNS name.
D. Assign EIPs to all web servers. Configure a Route53 record set with all EIPs, with health checks and DNS failover.
E. Configure ELB with an EIP. Place all your Web servers behind ELB. Configure a Route53 A record that points to the EIP.

Answer: CD

NEW QUESTION 325 You control access to S3 buckets and objects with:

A. Identity and Access Management (IAM) Policies. B. Access Control Lists (ACLs). C. Bucket Policies. D. All of the above

Answer: D

NEW QUESTION 326 The following policy can be attached to an IAM group. It lets an IAM user in that group access a "home directory" in AWS S3 that matches their user name using the console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:*"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::bucket-name"],
      "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}
    },
    {
      "Action": ["s3:*"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::bucket-name/home/${aws:username}/*"]
    }
  ]
}

A. True B. False

Answer: B

NEW QUESTION 327 What does elasticity mean to AWS?

A. The ability to scale computing resources up easily, with minimal friction and down with latency. B. The ability to scale computing resources up and down easily, with minimal friction. C. The ability to provision resources in expectation of future demand. D. The ability to recover from business continuity events with minimal friction.

Answer: B

NEW QUESTION 328 The following are AWS Storage services? Choose 2 Answers

A. AWS Relational Database Service (AWS RDS) B. AWS ElastiCache C. AWS Glacier D. AWS Import/Export

Answer: BD

NEW QUESTION 332 You have launched an EC2 instance with four (4) 500 GB EBS Provisioned IOPS volumes attached. The EC2 instance is EBS-Optimized and supports 500 Mbps throughput between EC2 and EBS. The four EBS volumes are configured as a single RAID 0 device, and each Provisioned IOPS volume is provisioned with 4,000 IOPS (4,000 16KB reads or writes), for a total of 16,000 random IOPS on the instance. The EC2 instance initially delivers the expected 16,000 IOPS random read and write performance. Sometime later, in order to increase the total random I/O performance of the instance, you add an additional two 500 GB EBS Provisioned IOPS volumes to the RAID. Each volume is provisioned to 4,000 IOPS like the original four, for a total of 24,000 IOPS on the EC2 instance. Monitoring shows that the EC2 instance CPU utilization increased from 50% to 70%, but the total random IOPS measured at the instance level does not increase at all. What is the problem and a valid solution?

A. The EBS-Optimized throughput limits the total IOPS that can be utilized; use an EBS-Optimized instance that provides larger throughput. B. Small block sizes cause performance degradation, limiting the I/O throughput; configure the instance device driver and filesystem to use 64KB blocks to increase throughput. C. The standard EBS Instance root volume limits the total IOPS rate; change the instance root volume to also be a 500GB 4,000 Provisioned IOPS volume. D. Larger storage volumes support higher Provisioned IOPS rates; increase the provisioned volume storage of each of the 6 EBS volumes to 1TB. E. RAID 0 only scales linearly to about 4 devices; use RAID 0 with 4 EBS Provisioned IOPS volumes, but increase each Provisioned IOPS EBS volume to 6,000 IOPS.

Answer: C

NEW QUESTION 335 Your company is storing millions of sensitive transactions across thousands of 100-GB files that must be encrypted in transit and at rest. Analysts concurrently depend on subsets of files, which can consume up to 5 TB of space, to generate simulations that can be used to steer business decisions. You are required to design an AWS solution that can cost effectively accommodate the long-term storage and in-flight subsets of data.

A. Use Amazon Simple Storage Service (S3) with server-side encryption, and run simulations on subsets in ephemeral drives on Amazon EC2. B. Use Amazon S3 with server-side encryption, and run simulations on subsets in-memory on Amazon EC2. C. Use HDFS on Amazon EMR, and run simulations on subsets in ephemeral drives on Amazon EC2. D. Use HDFS on Amazon Elastic MapReduce (EMR), and run simulations on subsets in-memory on Amazon Elastic Compute Cloud (EC2). E. Store the full data set in encrypted Amazon Elastic Block Store (EBS) volumes, and regularly capture snapshots that can be cloned to EC2 workstations.

Answer: D

NEW QUESTION 340 ......
